iPhone worm attacks jailbroken iPhones with default password

It didn't take long for someone to write a genuine worm that could infect …

The first known worm for the iPhone targets jailbroken devices that are running an SSH server with the default root password still set. It "rickrolls" vulnerable iPhones by replacing the wallpaper with an image of '80s pop star Rick Astley, captioned with a boast that hacker "ikee" is "never gonna give you up." While the payload is apparently harmless, it is another reminder of the exposure that jailbreaking creates when the defaults that come with it are left in place.

Unlike the hack we reported last week, this malware spreads itself to other vulnerable devices that are reachable from an infected phone. The worm scans for jailbroken phones with an open SSH port and attempts to log in with the default password. At least four variants exist in the wild, the latest of which attempts to hide itself by placing its code under a file path that resembles the one used by Cydia, a jailbreak app installer.

The worm seems to have originated on the Optus mobile network in Australia and primarily spread to other Optus phones, with a few reported infections overseas. It doesn't appear to have spread as widely on other networks, which typically place phones behind network address translation, so a phone on such a network has no directly reachable address for the worm to connect to. Again, this only affects iPhones that have been jailbroken, have SSH running, and, despite warnings to the contrary, still have the default password set.

The impetus seems to be boredom and a desire to hassle those who can't be bothered to change their password as recommended when installing SSH software. "People are stupid, and this is to prove it," reads a comment in the worm code. "So RTFM, its not thats hard guys. But hey who cares its only your bank details at stake [sic]."

That doesn't mean someone else couldn't reuse the idea or the code with a more malicious payload, perhaps something that monitors for password entry or grabs the aforementioned bank details. If you jailbreak and install SSH, change the default passwords for both root and the "mobile" user, stop sshd when you aren't using it, and check the passwords again after every firmware update or restore, since updating puts the defaults back.

Reports of hacks like these infecting jailbroken iPhones are only likely to inspire Apple to further lock down the iPhone OS to a point that could make jailbreaking a thing of the past. Don't say we didn't warn you.

I'm sorry, but if you jailbreak your phone and then use it to manage your bank account, you are asking for something. Don't manage your important personal data on a device running a hacked OS. It's just a bad idea.

Should read: But hey, who cares, it's only your bank details at stake. /grammar nazi

Well, yes, I realize that but [sic] generally immediately follows the error. This reads as if stake was used improperly. If that was the intent it should really be "But hey [sic] who cares [sic] its [sic] only your bank details at stake."

Not all jailbroken iPhones and iPod touches have SSH installed, and those that do choose to install it SHOULD know enough about it to have the common sense to change their default passwords. I'm sure Apple will do whatever they can to lock down the OS to the point where jailbreaking is impossible. That will also be the day that I leave the iPhone OS behind for good. Sorry Apple, but if OS X were locked down nearly as much as you want the iPhone OS to be, I never would have bought a Mac either.

How does this spread? It scans the network for jailbroken phones with SSH installed. What does that mean?

Tell me if this is correct:

My jailbroken phone with SSH and default password joins a wireless network at Starbucks. On connect, the backgrounded malware does some kind of port sniffing on the wireless network and attempts to connect via SSH to every device attached. It hits other jailbroken SSH iPhones and executes code and copies itself.

Reports of hacks like these infecting jailbroken iPhones are only likely to inspire Apple to further lock down the iPhone OS to a point that could make jailbreaking a thing of the past. Don't say we didn't warn you.

What does this have to do with anything? This news has no bearing whatsoever on Apple locking out jailbreak mechanisms.

Apple have been locking out jailbreaks and working on patching vulnerabilities since iPhone OS 1.0 and they'll continue to do so. And, really, they're patching vulnerabilities -- vulnerabilities that, while allowing for jailbreaking, also allow for nefarious uses should someone have physical access to the device.

quote:

How does this spread? It scans the network for jailbroken phones with SSH installed. What does that mean?

I don't believe wifi is even used, unless it falls within the "random 20 IP ranges," but rather the 3G network you're connected to.

quote:

[09:11] <JD> Are you aware that it has even started to replicate itself overseas?
[09:13] <ikee> I heard a few stories about it, that would have been sheer luck, the code itself is set to firstly scan the 3G IP range the phone is on, then Optus/Vodafone/Telstra's IP Ranges (I think the reason Optus got hit so hard is because the other 2 are NAT'd) then a random 20 IP ranges. I'm guessing a few phones hit a range that another vulnerable phone was on.

Originally posted by ayelao: This news has no bearing whatsoever on Apple locking out jailbreak mechanisms.

As far as the press is concerned, there is now a virus that attacks iPhones. That's pretty much the last thing Apple wants people to hear, and I'd be surprised if their response didn't include trying to make it even harder to jailbreak the things.

Originally posted by Muriac: As far as the press is concerned, there is now a virus that attacks iPhones. That's pretty much the last thing Apple wants people to hear, and I'd be surprised if their response didn't include trying to make it even harder to jailbreak the things.

Which is precisely what I attempted to address in my statement. They've been doing that since day 1 of a jailbreak release; this news has no bearing on that course of action.

Since the article lacks any definitive analysis of the issue, other than a rehash, I'm left with what little analysis is present. The quoted portion of the article seems content to draw a parallel between a script kiddie's use of one idiotic, user-induced vulnerability and legitimate security patches by Apple with regard to jailbreaking.

EDIT: In other words, I agree that this may cast a small light on those efforts, but the sentence structure of the quoted portion of the article makes it seem as though Apple has now had a revelation and will now begin efforts to lock down the platform such that jailbreaking is impossible. That's been their goal all along.

Well, this not only requires jailbreaking your phone. It also requires *installing* ssh (it's not installed by default) and then *not* changing your password. I mean, installing ssh, reading up the default password to log in and then leaving it as it is really requires some actively applied ignorance.

Anyway, jailbroken phones have loads of stuff installed that comes from some quite dark places of the net, with no easy way to track down the authors and no way to look at the sources of most apps. This worm is not the worst that can happen. While I don't like the control Apple exercises over the iPhone, Cydia is actually even worse. It totally lacks the openness of the Linux ecosystem and requires you to trust unknown people offering black-box binaries having full access to everything on the phone. While I think that most developers of code for jailbroken phones have no evil intentions at all, there's just too good an opportunity to not have someone yielding to the temptation sooner or later.

Originally posted by Dillinger: I'm sorry, but if you jailbreak your phone and then use it to manage your bank account, you are asking for something. Don't manage your important personal data on a device running a hacked OS. It's just a bad idea.

Frankly, that comment shows a lack of understanding. The problem is not that the device has been modified. It's no worse an idea than running a Linux distro you downloaded off the net. In fact it's just as dangerous as doing it on any computer on which one has used admin privileges to install software once (i.e. nearly 100% of computers).

Generally, an unmodified cell phone is safer than all of the above, but that doesn't make a jailbroken phone inherently unsafe.

What is unsafe here is the use of technology unfit for general consumption. People make modifications they don't understand.

quote:

Originally posted by chaos_disorder: Not all jailbroken iPhones and iPod touches have SSH installed, and those that do choose to install it SHOULD know enough about it to have the common sense to change their default passwords.

Even if you do know better, the process is prone to errors. Every time you update (not only restore!) the iPhone, the passwords are reset. It's easy to forget at least once. (I once noticed after a week or so that I hadn't done so yet.) Unfortunately it's not only about common sense, but manual, repetitive work. It's not well designed. Imagine popular computer software that offers an internet-visible service and uses the same default password everywhere? That would mean instant disaster. Whoever is responsible for the sshd port really screwed up here.

Reports of hacks like these infecting jailbroken iPhones are only likely to inspire Apple to further lock down the iPhone OS to a point that could make jailbreaking a thing of the past.

"...further lock down...," as in additional attempts on top of what Apple has already done. Just like you said. In no way do I imply that Apple hasn't made any previous effort to fix vulnerabilities that enable jailbreaking; the use of "further" implies, if anything, that there logically exists a previous effort. However, to the average person (which is the vast majority of iPhone users, not tech-savvy geeks) it sounds like "iPhones have viruses." No matter how much we in the tech press try to stress that the problem is only for people that hack their iPhones without requisite understanding of security implications, that's still news Apple doesn't want coming out.

Locking down the iPhone to prevent jailbreaking eliminates the problem for Apple—not to mention issues of piracy or apps that violate carriers terms of service. The side benefit that a lot of people enjoy—using software that is otherwise legal but Apple won't approve for sale, is something we all lose.

It just goes to show that people want customizations on their damn phone and Apple should just give it to them. I never would have jailbroken if Backgrounder, SBSettings, Winterboard, and Lockscreen Info were standard apps.

Reports of hacks like these infecting jailbroken iPhones are only likely to inspire Apple to further lock down the iPhone OS to a point that could make jailbreaking a thing of the past. Don't say we didn't warn you.

Apple has already bricked jailbroken phones in the past; I'm pretty sure they're doing all they reasonably can to lock it down already.

But basically, part of the phone will need admin privileges and if you're the local user it's going to be a fairly trivial task to access that (it may be a harder task to keep up with Apple in the future, but where there's a will there's a way). It's a shame Apple just doesn't give up, how many other systems do people use where the purchaser and primary user don't have admin rights?

I also love the idea of this worm: the vector of attack was already known and Apple probably won't be fixing it, so it's going to fall to the users. And they now have a blatant warning to fix the thing. It should be done with more security holes (like the millions who don't patch their desktops).

Originally posted by uhuznaa: Well, this not only requires jailbreaking your phone. It also requires *installing* ssh (it's not installed by default) and then *not* changing your password. I mean, installing ssh, reading up the default password to log in and then leaving it as it is really requires some actively applied ignorance.

Exactly.

quote:

Anyway, jailbroken phones have loads of stuff installed that comes from some quite dark places of the net, with no easy way to track down the authors and no way to look at the sources of most apps. This worm is not the worst that can happen. While I don't like the control Apple exercises over the iPhone, Cydia is actually even worse. It totally lacks the openness of the Linux ecosystem and requires you to trust unknown people offering black-box binaries having full access to everything on the phone. While I think that most developers of code for jailbroken phones have no evil intentions at all, there's just too good an opportuntiy to not have someone yielding to the temptation sooner or later.

And again, exactly. Nowhere do I say jailbreaking = haxored, but along with jailbreaking comes a lot of stuff that frankly the average user just isn't prepared to deal with. Maybe it would have been better if jailbreak tools had remained command-line only.

For a similar analogy: If a few people are throwing together hacked bootloaders and a few KEXTs to make a hackintosh for personal use, Apple has no good reason to go after them. When someone like Psystar starts trying to make a business of ripping off Apple's OS without a licensing agreement, then crap like possibly dropping Atom support happens.

I don't believe wifi is even used, unless it falls within the "random 20 IP ranges," but rather the 3G network you're connected to.

Currently that would be correct, but our friendly jack-ass hacker who released this also released the source code, which can easily be modified to scan the current WiFi network, or both WiFi and 3G/EDGE. Also, script kiddies who never came up with the intrusion method can easily insert their own (much more malicious) payloads, now that the way has been pointed out to them.

My testing shows that AT&T blocks incoming SSH connections on the 3G data network. Assuming I am correct, US iPhone users are relatively safe from this, unless they happen to be on a WiFi network with an infected phone AND as you point out that phone selects that particular network range to attack randomly.

Nevertheless, it goes without saying, if you think you need SSH on your phone, at the very least change BOTH your 'root' and 'mobile' accounts' passwords, and turn off SSH altogether when you don't actually need it running.

Originally posted by BananaBonanza: Frankly, that comment shows a lack of understanding. The problem is not that the device has been modified. It's no worse an idea than running a Linux distro you downloaded off the net. In fact it's just as dangerous as doing it on any computer on which one has used admin privileges to install software once (i.e. nearly 100% of computers).

No. At least not if you use your brain while using your computer or your phone. The thing is that with Linux most software is Open Source and if you're really paranoid you can always compile everything from the sources (and check them before doing that). Even with closed source apps on a computer or phone you will have some real person or company to blame if it contains malware. Both of these tend to cool down any aspirations of potential evildoers by an astounding degree. A Linux distribution that would consist of binary (closed source) apps by unknown people wouldn't stand the chance of a snowflake in hell.

With Cydia you have the worst of all worlds combined: People who hide behind screen handles and have no visible identity, binary apps, full access, users who blindly try everything because it's "freedom from Apple". Yeah. In practice instead of having Apple control what you can run or not, you allow any anonymous hacker on the planet to control what runs on your phone. This is exactly the kind of freedom you don't want.

Well, I have my iPod touch jailbroken, but I install only very few selected things. And when I had to check my bank account over it a while ago, I immediately felt a well-known tickling at my brainstem and at the next opportunity jumped at my Macbook and changed the password for the account. Don't trust anonymous hackers contributing binaries. This is common sense almost as "don't take unknown drugs given to you for free by unknown people".

Originally posted by uhuznaa: Anyway, jailbroken phones have loads of stuff installed that comes from some quite dark places of the net, with no easy way to track down the authors and no way to look at the sources of most apps. This worm is not the worst that can happen. While I don't like the control Apple exercises over the iPhone, Cydia is actually even worse. It totally lacks the openness of the Linux ecosystem and requires you to trust unknown people offering black-box binaries having full access to everything on the phone. While I think that most developers of code for jailbroken phones have no evil intentions at all, there's just too good an opportunity to not have someone yielding to the temptation sooner or later.

I'm not sure the "loads of stuff" from "quite dark places" is a fair statement, but there are certainly some questionable repos available that one uses at one's own risk.

Your entire complaint there applies to all software on the Internet, almost regardless of the source, and all computer platforms, not just Cydia and the iPhone.

Most of the 3rd party software I have on my Mac comes from small developers who may or may not have included harmful code in their packages, but certainly have not included the source code to let me check for myself.

The risks are there, but they are not unique, and I think if you stick to a few trusted sources you're probably relatively safe, but that's the same warning you have to give on any computer system, isn't it?

Originally posted by DistortedLoop: Most of the 3rd party software I have on my Mac comes from small developers who may or may not have included harmful code in their packages, but certainly have not included the source code to let me check for myself.

Doesn't matter. These developers are real, they are identifiable, they have a business and they will very much refrain from f*cking you from behind. Call this theory, I call it empirical experience. Intentional malware in free or commercial software from real companies or individual developers is very, very rare. I don't know of a single case in Mac software. Malwarez from people managing to hide are legion. The Cydia ecosystem encourages people to offer tidbits of binary goods from behind the curtains. You need to betray yourself to *not* see the danger here.

Originally posted by DistortedLoop: Nevertheless, it goes without saying, if you think you need SSH on your phone, at the very least change BOTH your 'root' and 'mobile' accounts' passwords, and turn off SSH altogether when you don't actually need it running.

Yep, and install SBSettings, which allows you to activate/deactivate sshd from within any app with a simple swipe and tap. And whoever doesn't change the default password deserves everything he gets, and if what he gets is just a new wallpaper and the hole plugged he can count himself really, really lucky. I think this guy deserves a medal, actually. Steve Jobs should send him a maxed-out MacBook and an iPhone for free.

Originally posted by uhuznaa: Doesn't matter. These developers are real, they are identifiable, they have a business and they will very much refrain from f*cking you from behind. Call this theory, I call it empirical experience. Intentional malware in free or commercial software from real companies or individual developers is very, very rare. I don't know of a single case in Mac software. Malwarez from people managing to hide are legion. The Cydia ecosystem encourages people to offer tidbits of binary goods from behind the curtains. You need to betray yourself to *not* see the danger here.

I'm not denying the risks, but it does matter. Installing software from an unknown party (shareware, unknown developer, etc) carries some risk, regardless of your platform, be it OS X, Linux, Windows, iPhone, Android, etc. Know your providers or be at some level of risk.

I'm not at all arguing that there aren't risks in the Cydia ecosystem, I'm arguing a point which you completely ignored originally and in your reply, which is simply that if you limit yourself to a few trusted sources you're probably relatively safe. Do you dispute that? (note my couching and qualifications with "probably" and "relatively")

Determining who you trust, and how you come to that conclusion is another story, and one that will clearly be different for each user and their own level risk/reward payoff or paranoia.

As far as real businesses not f*cking you from behind, don't we have a well-publicized case of Storm8 (an iPhone game developer) who allegedly stole phone numbers from iPhones, sent them back to the mothership and has sold them to telemarketers and who knows who else in the headlines right now? And all of that spyware-like activity going on right in Apple's very own walled garden of the AppStore. Perhaps not as bad as unknowingly downloading a Cydia binary that has root access and could theoretically send everything home, but assuming Apple's batting 1000 in protecting your privacy and that you're relatively safe is a bad assumption as well.

Originally posted by DistortedLoop: I'm not at all arguing that there aren't risks in the Cydia ecosystem, I'm arguing a point which you completely ignored originally and in your reply, which is simply that if you limit yourself to a few trusted sources you're probably relatively safe. Do you dispute that? (note my couching and qualifications with "probably" and "relatively")

How relative is relative? Can you easily get the name, address, phone number and business data (if any) of developers of Cydia apps in trusted sources as you can from any indie Mac developer? Yes, the Cydia developer himself I would call trustable, but how many levels of trust are you willing to take? I'm willing to take exactly one level of that. Anyone who offers me a piece of binary code and doesn't give me his real name is out. Full stop. It's that easy.

quote:

As far as real businesses not f*cking you from behind, don't we have a well-publicized case of Storm8 (an iPhone game developer) who allegedly stole phone numbers from iPhones, sent them back to the mothership and has sold them to telemarketers and who knows who else in the headlines right now? And all of that spyware-like activity going on right in Apple's very own walled garden of the AppStore. Perhaps not as bad as unknowingly downloading a Cydia binary that has root access and could theoretically send everything home, but assuming Apple's batting 1000 in protecting your privacy and that you're relatively safe is a bad assumption as well.

I do *not* defend Apple here, to make that clear. I also don't defend companies like Pinch Media, to spell a name. There's a lot of phoning home taking place in AppStore apps that I don't like. But this still is a very different thing from running unknown code from unknown people which may do much more than just phone home with rather innocent data for telemarketers. Spam is a bother, but having your credit account swiped or passwords spoofed upon is another thing.

What I'm actually arguing for is Cydia being responsible and the developers of jailbroken stuff taking a stand. Just divide Cydia in two sections: Open Source things by people having a name, and everything else, and have everything else only activated after a clear warning. I *hate* to trust people who don't give me sources and don't have a name.

Originally posted by DistortedLoop: Nevertheless, it goes without saying, if you think you need SSH on your phone, at the very least change BOTH your 'root' and 'mobile' accounts' passwords, and turn off SSH altogether when you don't actually need it running.

Yep, and install SBSettings, which allows you to activate/deactivate sshd from within any app with a simple swipe and tap. And whoever doesn't change the default password deserves everything he gets, and if what he gets is just a new wallpaper and the hole plugged he can count himself really, really lucky. I think this guy deserves a medal, actually. Steve Jobs should send him a maxed-out MacBook and an iPhone for free.

Well, I for one didn't know about a 'mobile' user having a default password as well; great, so now I'm stupid too?

Originally posted by DistortedLoop: Nevertheless, it goes without saying, if you think you need SSH on your phone, at the very least change BOTH your 'root' and 'mobile' accounts' passwords, and turn off SSH altogether when you don't actually need it running.

Yep, and install SBSettings, which allows you to activate/deactivate sshd from within any app with a simple swipe and tap. And whoever doesn't change the default password deserves everything he gets, and if what he gets is just a new wallpaper and the hole plugged he can count himself really, really lucky. I think this guy deserves a medal, actually. Steve Jobs should send him a maxed-out MacBook and an iPhone for free.

Well, I for one didn't know about a 'mobile' user having a default password as well; great, so now I'm stupid too?

I certainly didn't call you stupid!

I'll assume you know how to change root's password, so I'll just make sure you know how to change 'mobile's'.

If you're logged in as root, type the command:

su mobile

You'll be asked for mobile's password, which is alpine by default. Now you're running commands as 'mobile', so change the password as normal by running the passwd command. There might be other ways to do it, but that's what Google is for.
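The article's advice and the post above describe the same procedure: change the passwords of both root and mobile and keep sshd off when it is not needed. The script below is an added example, not code from the article or from any poster, and does the check and the change in one place. It assumes a BSD-style /etc/master.passwd with crypt(3) hashes, that DEFAULT_HASH is the hash the firmware ships for "alpine" (the value commonly reported for iPhone OS of this era; confirm it against the root line in your own file), and that the Cydia OpenSSH package registers with launchd as com.openssh.sshd. Run it as root from MobileTerminal with --check to list accounts still on the default, or --apply to change them (passwd prompts for each) and unload sshd.

```sh
#!/bin/sh
# audit_sshd.sh - added example; not code from the article or the forum.
# Run as root from MobileTerminal (or over ssh) on a jailbroken device.
#
# Assumptions, to be verified on your own device:
#  - /etc/master.passwd holds crypt(3) hashes, one account per line
#  - DEFAULT_HASH is the hash the firmware ships for the password "alpine"
#  - the Cydia OpenSSH package registers with launchd as com.openssh.sshd

DEFAULT_HASH='/smx7MYTQIi2M'
SSHD_PLIST='/Library/LaunchDaemons/com.openssh.sshd.plist'

# Print one account name per line for every entry in the given
# master.passwd-style file whose stored hash still equals DEFAULT_HASH.
# Takes the file as an argument so it also works on a copy from a backup.
accounts_with_default_password() {
    awk -F: -v h="$DEFAULT_HASH" 'NF >= 2 && $2 == h { print $1 }' "$1"
}

# Exit status 0 when at least one account in the file is still on the
# default, 1 when every account has been changed.
still_on_default() {
    [ -n "$(accounts_with_default_password "$1")" ]
}

# Change the password of every account still on the default (passwd prompts
# for each), then stop sshd and keep it from starting at boot: -w records the
# Disabled flag in the plist so a reboot does not bring sshd back.
harden() {
    for u in $(accounts_with_default_password /etc/master.passwd); do
        echo "account '$u' still uses the shipped password; changing it"
        passwd "$u"
    done
    if [ -f "$SSHD_PLIST" ]; then
        launchctl unload -w "$SSHD_PLIST"
        echo "sshd unloaded; reload it with: launchctl load -w $SSHD_PLIST"
    fi
}

case "${1:-}" in
    --check)
        if still_on_default /etc/master.passwd; then
            echo "default password still set for:" \
                $(accounts_with_default_password /etc/master.passwd)
            exit 2
        fi
        echo "no account uses the shipped default"
        ;;
    --apply)
        harden
        ;;
esac
```

Because the check compares against a constant, a wrong DEFAULT_HASH reports a clean device, so look at the second field of the root line in /etc/master.passwd before trusting the result. Commenters note that a firmware update resets the passwords, so --check is worth rerunning after every update as well as after every reinstall of the SSH package.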

Originally posted by DistortedLoop: I'm not at all arguing that there aren't risks in the Cydia ecosystem, I'm arguing a point which you completely ignored originally and in your reply, which is simply that if you limit yourself to a few trusted sources you're probably relatively safe. Do you dispute that? (note my couching and qualifications with "probably" and "relatively")

How relative is relative? Can you easily get the name, address, phone number and business data (if any) of developers of Cydia apps in trusted sources as you can from any indie Mac developer? Yes, the Cydia developer himself I would call trustable, but how many levels of trust are you willing to take? I'm willing to take exactly one level of that. Anyone who offers me a piece of binary code and doesn't give me his real name is out. Full stop. It's that easy.

quote:

As far as real businesses not f*cking you from behind, don't we have a well-publicized case of Storm8 (an iPhone game developer) who allegedly stole phone numbers from iPhones, sent them back to the mothership and has sold them to telemarketers and who knows who else in the headlines right now? And all of that spyware-like activity going on right in Apple's very own walled garden of the AppStore. Perhaps not as bad as unknowingly downloading a Cydia binary that has root access and could theoretically send everything home, but assuming Apple's batting 1000 in protecting your privacy and that you're relatively safe is a bad assumption as well.

I do *not* defend Apple here, to make that clear. I also don't defend companies like Pinch Media, to spell a name. There's a lot of phoning home taking place in AppStore apps that I don't like. But this still is a very different thing from running unknown code from unknown people which may do much more than just phone home with rather innocent data for telemarketers. Spam is a bother, but having your credit account swiped or passwords spoofed upon is another thing.

What I'm actually arguing for is Cydia being responsible and the developers of jailbroken stuff taking a stand. Just divide Cydia in two sections: Open Source things by people having a name, and everything else, and have everything else only activated after a clear warning. I *hate* to trust people who don't give me sources and don't have a name.

I don't disagree with any of that.

I trust Saurik and BigBoss, to name names. I despise Pinch Media, to name another name.

In the end I really don't care what anyone else's trust level is; that's clearly a personal choice, as I mentioned above.

I do get a bit bothered when sensationalist comments like "jailbroken phones have loads of stuff installed that comes from some quite dark places of the net" are made, which are frightening to those who don't know better, and can be distorted and used as fuel in the anti-jailbreak crusade many readers of these types of forums seem to be on. If that's what you believe, so be it, I respect your right to believe it, but I also insist on my right to say I think it's not quite an accurate statement.

I'm not accusing you of anything other than being a tad more cautious (or paranoid) than I think is necessary; however, I acknowledge it's better to err on the side of caution than not.

Originally posted by DistortedLoop: I'm not accusing you of anything other than being a tad more cautious (or paranoid) than I think is necessary; however, I acknowledge it's better to err on the side of caution than not.

Well, I think that the iPhone (and whatever it ignites) is quite a revolution in personal computing and that we should be careful and clear at what we tolerate and what not. For *me* the cutoff in accepting things on my devices has always been either full disclosure (source code) or straight responsibility (a name and a person or a company to blame and to go after if I need to). I don't know if this qualifies as paranoid, but I think these are clear and easy things to look out for and as such I like them. They make things easy and somehow directly addressable: Either I can look at the source if I have any doubts or I can go after someone. This is simple enough to be useful.

Originally posted by foresmac108: "...further lock down...," as in additional attempts on top of what Apple has already done. Just like you said. In no way do I imply that Apple hasn't made any previous effort to fix vulnerabilities that enable jailbreaking; the use of "further" implies, if anything, that there logically exists a previous effort.

OK, well, it wasn't my intention to contort your original meaning. I appreciate the response. I understand the logical implications of the word "further," however -- and I realise it's pedantic at this point -- I was questioning why this was worth mentioning, considering it's been a known fact from day one.

Unless you felt that it, combined with the linked article, was evidence that Apple would be doubling its efforts on completely locking out jailbreaks. I guess my overall point is that it'd have been nice to have a bit more analysis into that perspective rather than simply throwing it out there with nothing more than a blind link to a related article. For me, it left a disjointed connection that felt tenuous and unresolved. Tenuous because it felt as though it was doing two things: drawing on the old "jailbreaking = instability" and "Apple is an evil empire trying to stamp out freedom at every turn" arguments.

I'm probably isolated in that sentiment. Again, thank you for addressing my concern -- I do hope I wasn't overly critical -- I understand why you drew the connection now.

In these days where "+1" constitutes a legitimate comment, you're asking for an awful lot there. By the time they've typed "this" their short attention span is already off being distracted by some other shiny thing.

And if you want some fun, the Australian who made the rickrolling worm has a very unflattering article on Dramatica. But that kinda goes without saying, doesn't it?

What about SSH connections -within- the 3G network? Did you test a phone-to-phone SSH? Or did you only do Internet-to-phone attempt?

Yes. I tested iPhone to iPhone on AT&T by turning off WiFi on both of my iPhones, leaving sshd turned on on one, and used mobile terminal on the other phone to initiate an ssh connection to the data ip address reported by SBSettings & ifconfig in terminal on the sshd iPhone.

The connection times out.

Just for fun I also tested the ip address reported by Safari. Same result.

data address on both my iPhones are 10.xx.xxx.xxx, and ip address on Safari are in the 166.xx.xxx.xxx range.

I haven't tested if two phones on the same actual subnet are open to each other, I wouldn't think so, but it's untested.

Obviously same results, including a port scan returning nothing, when checking from my wired network to the iPhones.

I've asked Saurik and a few others via twitter if they can confirm AT&T does indeed block port 22, but no one's ever responded.

It would be nice if someone a bit more credible and competent than I did testing and identified what cell networks are at risk and what aren't. That's way beyond my scope, but might make a nice wiki page on the Dev-Team's Web site or one of the other big names in jailbreaking.

All that said, while your network might be providing you some protection with port blocking or NAT, you're just silly if you run around with sshd running and default passwords.
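The test above (two phones on AT&T, sshd on one, ssh from the other, connection timed out) can be made repeatable. The script below is an added example, not the poster's own commands: it classifies the target's data address as RFC 1918 private space (the 10.x addresses reported above, which cannot be reached from the Internet at all and may or may not be reachable from the carrier's other phones) or as public, then attempts a TCP connect to port 22 with a short timeout. It assumes a netcat that supports -z and -w, such as the Cydia netcat package or any BSD/GNU nc. nc reports a timeout and an actively refused connection the same way, so "closed/filtered" on its own cannot tell a carrier block from sshd simply being off; only "open" is conclusive.

```sh
#!/bin/sh
# ssh_exposure.sh - added example; not the commenter's own test or code.
# Usage: sh ssh_exposure.sh <data-ip-of-the-other-phone> [timeout-seconds]
# Assumption: nc accepts -z (connect only, send nothing) and -w <secs>.

# Classify an IPv4 address for the NAT discussion above. Prints "private"
# for RFC 1918 space (10/8, 172.16/12, 192.168/16), "public" for any other
# well-formed address, and "invalid" (with exit status 1) for bad input.
ip_class() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) echo invalid; return 1 ;;
    esac
    set -- $(echo "$ip" | tr . ' ')
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    if [ "$1" -eq 10 ]; then
        echo private
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then
        echo private
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then
        echo private
    else
        echo public
    fi
}

# One-line reading of what the class means for this worm's scanning.
exposure_note() {
    case "$(ip_class "$1")" in
        private) echo "behind NAT: unreachable from the Internet; only phones on the same carrier segment could even try" ;;
        public)  echo "publicly routable: reachable by any scanner unless the carrier filters port 22" ;;
        *)       echo "not an IPv4 address" ;;
    esac
}

# TCP connect to port 22 with a timeout. "open" means something answered;
# "closed/filtered" covers both a carrier block (the timeout seen on AT&T
# above) and a phone whose sshd is off.
probe_ssh() {
    host=$1
    timeout=${2:-5}
    if nc -z -w "$timeout" "$host" 22 2>/dev/null; then
        echo open
    else
        echo closed/filtered
    fi
}

if [ -n "${1:-}" ]; then
    echo "$1: $(exposure_note "$1")"
    echo "port 22: $(probe_ssh "$1" "${2:-5}")"
fi
```

Run it from MobileTerminal on one phone against the data address SBSettings or ifconfig reports on the other, once over 3G and once with both phones on the same Wi-Fi network; the pair of results shows whether the carrier, the NAT, or only the Wi-Fi router is standing between the two devices.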

Originally posted by uhuznaa: Well, I think that the iPhone (and whatever it ignites) is quite a revolution in personal computing and that we should be careful and clear at what we tolerate and what not. For *me* the cutoff in accepting things on my devices has always been either full disclosure (source code) or straight responsibility (a name and a person or a company to blame and to go after if I need to). I don't know if this qualifies as paranoid, but I think these are clear and easy things to look out for and as such I like them. They make things easy and somehow directly addressable: Either I can look at the source if I have any doubts or I can go after someone. This is simple enough to be useful.

An acceptable working model, if you're able to actually read source code and understand what each command is doing. The vast majority of iPhone users are not able to do that.

We agree that there is risk, but not to what extent, and how to address it on a personal level. That's the way of the world.

re: paranoid - I think feeling nervous and running home to change your banking password as quickly as you could certainly borders paranoia. I say this because there are clearly large numbers of "white hat" types in the iPhone jailbreak community, and it's hard to imagine that something malicious could make it into the Cydia world AND go undetected and unreported for very long. The risk is there for anything new, but if you stick to "trusted sources" I believe you to be more safe, than less.

I respect your "paranoia", I just don't share it. Hopefully I won't live to regret not sharing it! ;-)